Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
-
DtR Episode 57 - NewsCast for September 9th, 2013
09/09/2013 Duration: 42min
I want to thank our guests - Beau Woods and Joe Knape - for joining us this morning. It was great to have these two well-versed commentators on the show ...vote with your downloads folks - if you want to make this a regular thing leave us a comment!
Topics Covered
RedHack 'hacks' Turkish police website, stops border traffic? - http://www.hurriyetdailynews.com/redhack-hacks-turkish-police-website-as-border-traffic-grounds-to-a-halt.aspx?pageID=238&nID=53904&NewsCatID=341
A few thoughts on the NSA/Crypto from Matthew Green's blog - http://blog.cryptographyengineering.com/2013/09/on-nsa.html
The FTC settles with TRENDnet (the webcam shouting obscenities at the 2yr old story) - http://www.bostonglobe.com/business/2013/09/04/ftc-settles-complaint-over-hacked-security-cameras/uYjAuRcb4uCz51Zt1HSGbP/story.html
Citi ordered to pay $10.86/record, more harm than good - http://www.infosecurity-magazine.com/view/34328/citi-ordered-to-pay-55k-to-connecticut-over-2011-data-breach
NY Times hacked (again) but this tim
-
DtR Episode 56 - Understanding the [InfoSec] Elephant
04/09/2013 Duration: 49min
Every once in a while this podcast has a guest who makes us truly feel blessed to be doing this - Rob Dubois is one of those people. If you don't know anything about Rob, go read his website, listen to this podcast and check out his book. He is a real American hero, a fantastic human being, and a true patriot. On behalf of James and me - I want to extend a hearty thank you for the time Rob spent, and the wisdom he's imparted.
In this episode...
Rob Dubois on being a 'badass'
the parable of the blind wise men and the elephant
be reachable and teachable (be a RAT)
the collision of boots, bits, and threats
the arrogance of security professionals is a weakness
fail early, fail often - learn from it
why plans are useless, and planning is essential
a George Carlin quote, and a "The Office" reference
a brutal lesson from PoW training
Guest
Rob Dubois ( @RobDubois ) - Rob is currently best-known for his book "Powerful Peace - A Navy SEAL's Lessons on Peace from a Lifetime at War". I can't possibly do Rob justice but t
-
DtR Episode 55 - NewsCast for August 26th, 2013
26/08/2013 Duration: 31min
Since James is out this week with something called "work", I've pulled in two friends (affectionately known as "The Joshes"), Josh Marpet and Josh C. Big thanks to these fine gentlemen for stepping in and co-chairing this Monday morning quarterback session... I hope you enjoy!
Topics Covered
Fraudsters target "wire payment switch" at banks to steal millions - http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/#
Insurer to Schnucks: We won't pay for lawsuits related to your breach - http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/#
NASDAQ has a "technical glitch" ... halts trading in the middle of the day - http://www.eweek.com/security/nasdaq-trading-halted-by-technical-issue/
Apple App Store infiltrated by researchers' Jekyll malware - http://www.nbcnews.com/technology/apple-app-store-infiltrated-researchers-jekyll-malware-6C10945771
Hacker takes over baby-monitoring IP cam, shouts obsceniti
-
DtR Episode 54 - Evolution of InfoSec with The Godfather of IPS
19/08/2013 Duration: 44min
In this episode...
Rob gives us a little history lesson
Rob keeps going on the history lesson, IDS, open vs. closed circuits
We discuss "defense in depth" from back-in-the-day
James re-introduces us to the "security onion"
Rob talks about "programming for super-high-speed" and scale
Constructing things to truly "build scalability in"...
Designing networks as a front-end vs. back-end architecture
Rob points out that network diagrams are always wrong
Guest
Robert Graham ( @ErrataRob ) - No, this is not Robert Graham the clothing designer, this is Robert Graham the guy who pioneered the IDS. In Robert's own words ... "I am a well-known security researcher (aka. "white-hat" hacker). I created the BlackICE personal firewall in 1998. I invented the first network intrusion prevention system (IPS) "BlackICE Guard" in 1999, which is now sold as "Proventia" by IBM."
-
DtR Episode 53 - NewsCast for August 12, 2013
12/08/2013 Duration: 25min
Topics Covered
The trash bin that stalked me (seriously, only in London) - http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/ and a follow-up as we recorded today: http://www.bbc.co.uk/news/technology-23665490
No data breach in Indianapolis, after laptop stolen/recovered - http://www.theindychannel.com/news/call-6-investigators/state-no-data-breach-after-stolen-laptop-traced-to-indy-home
DDoS blackmail in Manchester (UK) FAIL - http://www.manchestereveningnews.co.uk/news/greater-manchester-news/two-held-over-attempted-blackmail-5680548
US national health push ("Obamacare") falling behind on security testing...who's surprised? - http://au.news.yahoo.com/technology/news/article/-/18390597/obamacare-months-behind-in-testing-it-data-security-government/
Weird password 'feature' in Chrome... - http://blog.elliottkember.com/chromes-insane-password-security-strategy
-
DtR Episode 52 - Advanced threats, remedial defenses, broken record
05/08/2013 Duration: 42min
In this episode...
Dave reminisces a bit...
Dave discusses 'digitally signed malware' and what it means
We discuss whether it's true that 'all networks are compromised'
We discuss consumer-grade vs. corporate-grade threats, and why they're different
An interesting point by Dave about why enterprises aren't learning from their compromises
We discuss customized malware, with specific and targeted payloads for specific systems
Dave talks about whether 'combat the criminal, hire the criminal' is true
Guest
Dave Marcus ( @DaveMarcus ) - Dave is currently the Chief Architect, Advanced Research and Threat Intelligence, McAfee Federal Advanced Programs Group. He's been around the industry for a long time, and has influenced countless researchers. He is well known as a fantastic speaker, subject-matter expert and generally a badass, and I feel lucky enough to call him my friend.
-
DtR Episode 51 - NewsCast for July 29th, 2013
29/07/2013 Duration: 28min
Ladies and gentlemen, we are over the 50-episode mark! If you've enjoyed the podcast, please go rate us in the iTunes store, or leave us a note here. Have you checked out past episodes?! There are some gems in there, I promise, and worth your time.
Topics Covered
Charlie Miller and Chris Valasek demonstrated (and will disclose code to) the hack which allows complete (tethered) remote control of a modern vehicle. You need to watch this video, and if you develop code for transport vehicles and aren't thinking about securing your code - it's time to adjust course before you actually kill someone - http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and this is how the UK 'muzzled' a researcher who did something similar - http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/
Apple demonstrates how not to do breach disclosure, while Ibrahim Balic demonstrates how to jump into the spotlight (and put foot in mout
-
DtR Episode 50 - The Emergence of Geopolitics in InfoSec
22/07/2013 Duration: 42min
Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment. /Wh1t3Rabbit
In this episode...
We try and discuss 'defense in depth' on the geopolitical scale
@packetknife drops the truth about 'geopolitics experts' in InfoSec
Ali explains navigating the undocumented security requirements in emerging markets
We talk about whether all this stolen data from enterprise has actually made a difference
Ali discusses the 'western sense of intellectual property' (eye-opening!)
Deperimeterization - why #InfoSec must adapt to this RIGHT NOW, but seems allergic to it
Ali drops 'lawfare' on us - and why #InfoSec must know its options
We discuss why people 'generally just don't get it' when it comes to moving to
-
DtR Episode 49 - NewsCast for July 15th, 2013
15/07/2013 Duration: 28min
Topics Covered
9 Years After Shadowcrew, Feds Get Their Hands on Fugitive Cybercrook - http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest
vBulletin Forums compromised (~15-~150k) to serve malware - http://news.softpedia.com/news/Around-150-000-vBulletin-Forums-Compromised-Abused-to-Serve-Malware-366442.shtml
America's EAS (Emergency Alert System) is open to compromise (still) - http://www.wired.com/threatlevel/2013/07/eas-holes/
Mobile malware up 614% y/y says Juniper, but mostly Android - http://www.computerworld.com/s/article/9240772/Mobile_malware_mainly_aimed_at_Android_devices_jumps_614_in_a_year
Bluebox Security finds "master key" issue with Android - but there's more to it - http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/
-
DtR Episode 48 - Securing HP Software
08/07/2013 Duration: 45min
In this episode...
We get a little insight into the mind of Tomer, and how he thinks about security
We get an insight into what HP Software IT Management is doing to ensure security in the products they release
We discuss making security more than just a security line-item, and a business requirement
There are many "uncomfortable pauses" :)
We discuss Tomer's risk-focused approach to software quality
We ask "Is HP drinking its own champagne?"
Tomer gives us his feeling on DevOps
Guest
Tomer Gershoni - Tomer is the Information Security Officer responsible for product security for a select part of HP Software known as IT Management. Previous to that he was the CISO for HP Software-as-a-Service for over 3 years, based out of Yehud, Israel. Tomer has over 10 years of experience in Information Security and a background in software security. He is a very interesting individual, and his public profile can be found on LinkedIn here: http://il.linkedin.com/in/tomergershoni
-
DtR Episode 47 - NewsCast for July 1st, 2013
02/07/2013 Duration: 32min
*Apologies for this very important episode getting out a bit late, ladies and gents; I experienced a loss in the family so things were a little slow to re-start. We should be back on track for next week's episode.
Topics Covered
Political hacktivism is making a big splash in international news -
http://www.ilovechile.cl/2013/06/17/chile-democratic-partys-official-site-hacked/87737
http://www.kjrh.com/dpp/news/local_news/jenks/jenks-chamber-of-commerce-website-hacked-for-second-time-within-a-month
http://www.publicnewshub.com/zimbabwean-hackers-hailed-for-attacking-ancs-website/
http://www.bignewsnetwork.com/index.php/sid/215436810/scat/b8de8e630faf3631/ht/South-and-North-Korea-close-website-amid-hacking-alerts
http://www.business-standard.com/article/pti-stories/syria-s-online-troops-wage-counter-revolutionary-cyber-war-113060900065_1.html
http://www.ehackingnews.com/2013/06/turkish-ministry-of-interior-website.html
Google published their epic Transparency Report data - http://krebsonsecurity.com/2013/06/web
-
DtR Episode 46 - Serious Problems with Industrial Control System
24/06/2013 Duration: 39min
In this episode...
The gang discusses the issues with the rapid escalation of connectivity in modern-day industrial control systems
What specialized skills are needed to be a SCADA or ICS hacker
A nervous pause as vulnerabilities in ICS systems which could affect the adult beverage industry are touched upon
Discussion on how to deal with 25 year patch cycles
Why is it that embedded devices simply don't get patched like your other systems?
What are the real issues with ICS systems, and why they're not getting enough attention...yet
Guest
Mr. Billy Rios ( @XSSniper ) - In addition to being a long-time friend of mine, and one of the most knowledgeable and humble people in the hacking space, Billy is currently a Technical Director and the Director of Consulting for Cylance. Billy is an accomplished web application hacker, releasing an XSS tool which is currently his Twitter handle. While being a "big picture" guy, Billy also tackles some of the most complex large-scale ICS issues, and with his team works to ide
-
DtR Episode 45 - NewsCast for June 17th, 2013
17/06/2013 Duration: 20min
This week, James is flying solo on the microphone, catching you up on all the latest news and BIG stories since I'm at HP Discover, Las Vegas and Suits and Spooks in La Jolla, CA. A busy week all the way around, some pretty earth-shattering news coming out!
Topics Covered
We couldn't be the only ones NOT covering the big NSA leak and revelations of spying and other surveillance. Somewhere in the hype, though, is the enterprise story of insider threat - http://www.guardian.co.uk/world/2013/jun/09/nsa-secret-surveillance-lawmakers-live
Google Glass is in the news, again, this time from an enterprise perspective. In light of the slight insider threat problem revealed lately, how will Google's glasses impact security, and society in general, for good or evil? - http://www.computerworld.com/s/article/9240077/Google_Glass_could_get_a_look_at_the_enterprise
Apple made the news with iOS7 and the big "kill switch" feature; is this really a good idea that actually works or a desperate gimmick to demonstrate innovation?
-
DtR Episode 44 - Unmasking Security Products
10/06/2013 Duration: 47min
In this episode...
We discuss the true nature of many of the security product decisions CISOs have to make every day
Frank and Raf make very poorly thought-out sports analogies
There are uncomfortable lengths of silence (mostly edited out)
The crew discusses NSS Labs, and what they do to help the CISOs out there make smarter decisions
"Someone" asks about anti-virus...
[ More info on NSS Labs and the two guests today can be found here: https://www.nsslabs.com/analysts and https://www.nsslabs.com/ ]
Guests
Frank Artes ( @franklyfranc ) - Research Director. Francisco Artes is a recognized information security executive who has helped form some of the motion picture & television industry’s best practices for securing intellectual property. Artes is also known for his work on cybercrime, hacking and forensic security issues with various federal, state and local government and law enforcement agencies such as the US Dept. of Homeland Security, the FBI, the Texas Rangers, US Marshals and several others.
-
DtR Episode 43 - NewsCast for June 3rd, 2013
03/06/2013 Duration: 27min
It's June already?! Where has the first half of 2013 gone? James and I break down the last 2 weeks of interesting InfoSec news in a short "Monday morning quarterback" style... enjoy!
Topics Covered
Evernote adds 2-step verification for their authentication, and follows suit with just about every other 'modern' app. Following on the heels of Twitter, LinkedIn, FaceBook, Apple and the one that started it all, Google - we're now getting multi-step authentication from Evernote. Free users not welcome ...yet? - http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
Dropbox down for more than an hour, but it wasn't a security bug (we don't think), it's just that they had 'technical difficulty'. If you depend on Dropbox for your file synchronization services, you knew this happened - http://www.computerworld.com/s/article/9239648/Dropbox_goes_down_for_more_than_an_hour
NIST 500-299 "Cloud Computing Security Reference Architecture" document is released. There's a bit of irony here, as the d
-
DtR Episode 42 - Threat Modeling
28/05/2013 Duration: 47min
In this episode...
John discusses some of the foundational principles of Threat Modeling
We talk about why threat modeling is like your time in high school
We discuss why threat modeling is such an incredibly important tool to the enterprise
John gives us some nuggets of his experience with threat modeling enterprise applications
Guest
John Steven ( @m1splacedsoul ) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows,
-
DtR Episode 41 - NewsCast for May 20th, 2013
20/05/2013 Duration: 26min
Welcome to Monday, May 20th 2013 as James and I discuss the last 2 weeks' worth of Information Security news and relate it (attemptively) to your enterprise day-job. This week was a bit on the lighter side, with the quote of the year (as far as I'm concerned) winner going to the Washington State Administrative Office of the Court for ...well, you'll just have to read the rest of the show notes and listen to the podcast. Also ... we are now on the Zune store. So ...to the 2 new Zune listeners - HELLO!
Topics Covered
Researchers at Trend Micro uncover a new cyberespionage campaign and call it SafeNet (in unrelated news, SafeNet the security company had nothing to do with this...). Yet another cyberespionage campaign targeting users with the revolutionary new technique called "phishing", and using a vulnerability in Microsoft software patched in April 2012, originating from ... China! - http://www.computerworld.com/s/article/9239342/Researchers_uncover_SafeNet_a_new_global_cyberespionage_operation
Domain registrar, Name.
-
DtR Episode 40 - Breakers, Builders, and the Enterprise
13/05/2013 Duration: 45min
In this episode...
Kevin, James and I discuss why penetration testing reports are often so worthless
Kevin and I disagree. Then we agree, sort of.
We discuss the major differences between the 'builder' and 'breaker' mindset, and whether they're actually different people
Kevin gives some fantastic examples of how context and experience are critical in penetration testing
We provide guidance on how someone can 'break into' (no pun intended) penetration testing and be effective
Kevin gives an example of how someone can be a great penetration tester, but be of little value beyond that
We wrap by discussing how enterprises can gain value from penetration testing - and Kevin provides an interesting strategy
Guest
Kevin Johnson ( @SecureIdeas ) - Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting secu
-
DtR Episode 39 - NewsCast for May 6th, 2013
06/05/2013 Duration: 29min
It's another beautiful Monday (somewhere) and we've got the news of the last 2 weeks covered, and we're breaking it down for you. The news this week is, well, quite frankly kind of dark. Everything tells us we're in for a rough ride for the rest of the year, and it's only getting worse. If I sound a little funny, it's because I'm talking through a massive sinus infection and it's making me talk funny and stuffy. Also, the recording you hear is take 2 ... I had a major technology fail so we had to re-record, with less sadness.
Topics Covered
We are happy to report that Justin Bieber is in fact not coming out of the closet and E! Online was only hacked by those wacky military hackers from the Syrian Electronic Army. Apparently they've been on quite the hacking spree of media outlets and even put a major - albeit brief - dent in the stock market! - http://www.nydailynews.com/entertainment/e-online-twitter-account-hacked-article-1.1335214
The US Department of Labor was hacked, in what appears to be a very targ
-
DtR Episode 38 - Enterprise Security in the Real World
29/04/2013 Duration: 36min
In this episode...
Live (live-to-tape) from 44Con, London, England. It's amazing, listening to this episode recorded at 44Con last fall, how little the landscape of enterprise security has changed. I took some time during the busy conference to sit down with Ian Amit and Dennis Groves to discuss Ian's and my talks (which were perfectly aligned, and completely unplanned!) on the state of security in the enterprise. It's always interesting to get the perspective of 2 well-known industry speakers and thinkers. We discuss the topics of #SecBiz including the role of security in the enterprise, the challenges business security professionals face, metrics, and why we have some of the crazy change management failures in security. We laugh, we almost start to cry - but ultimately come to the realization that we need change. Ian and Dennis and I are working on driving that change!
Guests
Iftach Ian Amit ( @iiamit ) - Seasoned manager in the security and software industry with vast experience in a myriad of areas of softwa